Does vPenTest meet PCI 4.0 third-party pen test requirements?

ANSWER  Yes. We've seen independent analysis of the new rule suggesting that the combination of our platform and a QA review of the report with the end client should meet the requirement.

PCI requirements

Requirements 11.4.2b and 11.4.3b are the least fun parts. They add to their PCI DSS 3.2.1 predecessors (11.3.1b and 11.3.2b) by mandating that the complying entity not only verify that a "qualified internal resource or qualified external third-party" carries out the pen test, but also interview the personnel involved as part of the verification process. Likewise, requirement 11.4.5c (replacing 11.3.4c) specifies that segmentation pen-testers be interviewed.

NOTE  Vonahi Security or vPenTest is the qualified external third-party.

In other words, third-party pen-testers may have to sit down and be grilled about how they conducted the tests, how they got into systems, what they found, and so forth.

The requirement is vague enough so that a detailed pen-test report presented in an in-person meeting with the client may qualify as an "interview" as long as the client asks questions, but it might be best to bring along some of the front-line pen-testers just in case. It definitely means that pen-testers will need to document every step of the pen-testing process if they're not doing so already.

NOTE  Paragraph three describes our approach: the narrative section in our technical report is sufficient to show "what we did, how we did it, what we found," and the MSP would review that with the end client.